Project

General

Profile

Actions

Bug #3998

closed

HTTP2: invalid header anomaly

Added by David Beckett about 2 years ago. Updated about 2 years ago.

Status:
Closed
Priority:
Low
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

I'm getting a HTTP invalid_header anomaly on instagram. The alert doesn't seem to appear too often and it's hard to actually trigger it, so it's a low priority bug.

I've attached a pcap

jq '.event_type' /tmp/eve.json | sort | uniq -c | sort -n
1 "stats"
2 "flow"
21 "fileinfo"
24 "http"
31 "anomaly"

{"timestamp":"2020-10-05T07:04:51.102483-0400","flow_id":21414669293269,"pcap_cnt":276,"event_type":"anomaly","src_ip":"192.168.122.7","src_port":51824,"dest_ip":"157.240.18.19","dest_port":443,"proto":"TCP","tx_id":17,"community_id":"1:q/HxVAIJcyyaUnaba
Mfma6PfP3s=","anomaly":{"app_proto":"http2","type":"applayer","event":"invalid_header","layer":"proto_parser"}} {"timestamp":"2020-10-05T07:05:06.816392-0400","flow_id":21414669293269,"pcap_cnt":306,"event_type":"anomaly","src_ip":"192.168.122.7","src_port":51824,"dest_ip":"157.240.18.19","dest_port":443,"proto":"TCP","tx_id":23,"community_id":"1:q/HxVAIJcyyaUnaba
Mfma6PfP3s=","anomaly":{"app_proto":"http2","type":"applayer","event":"invalid_header","layer":"proto_parser"}}
...


Files

insta_inv_header.pcapng (1.61 MB) insta_inv_header.pcapng David Beckett, 10/05/2020 11:15 AM
Actions #1

Updated by Philippe Antoine about 2 years ago

Could you test with the following patch ?


diff --git a/rust/src/http2/http2.rs b/rust/src/http2/http2.rs
index 9a0330103..8b4112ead 100644
--- a/rust/src/http2/http2.rs
+++ b/rust/src/http2/http2.rs
@@ -466,17 +466,19 @@ impl HTTP2State {
                     Ok((_, set)) => {
                         for i in 0..set.len() {
                             if set[i].id == parser::HTTP2SettingsId::SETTINGSHEADERTABLESIZE {
-                                //set for both endpoints ? to be tested
-                                self.dynamic_headers_tc.max_size = set[i].value as usize;
-                                self.dynamic_headers_ts.max_size = set[i].value as usize;
+                                //reverse order as this is what we accept from the other endpoint
+                                let dyn_headers = if dir == STREAM_TOCLIENT {
+                                    &mut self.dynamic_headers_ts
+                                } else {
+                                    &mut self.dynamic_headers_tc
+                                };
+                                dyn_headers.max_size = set[i].value as usize;
                                 if set[i].value > HTTP2_MAX_TABLESIZE {
                                     //mark potential overflow
-                                    self.dynamic_headers_tc.overflow = 1;
-                                    self.dynamic_headers_ts.overflow = 1;
+                                    dyn_headers.overflow = 1;
                                 } else {
                                     //reset in case peer set a lower value, to be tested
-                                    self.dynamic_headers_tc.overflow = 0;
-                                    self.dynamic_headers_ts.overflow = 0;
+                                    dyn_headers.overflow = 0;
                                 }
                             }
                         }

Actions #2

Updated by Philippe Antoine about 2 years ago

For information, this pcap is the first one I see with asymmetric header table size : 65536 for the client and 4096 for the server
See with Wireshark filter http2.settings.id == 1

But I am not sure how to interpret http2.header_table_size_update

Actions #3

Updated by David Beckett about 2 years ago

Ah ok, it doesn't seem common for website to use asymmetric table sizes, especially that small, but it's definitely part of the spec. I've tested your patch and it seems to work fine now for the attached pcap, further Instagram browsing and for a few dozen other websites

Actions #4

Updated by Philippe Antoine about 2 years ago

  • Status changed from New to In Review
  • Target version set to 6.0.0
Actions #5

Updated by Victor Julien about 2 years ago

  • Status changed from In Review to Closed
Actions

Also available in: Atom PDF